Protecting Exchange Server Data at Rest

When I think about messaging and collaboration, security is never far from my mind. Most of the time, Microsoft Exchange Server and Office Communications Server (OCS) administrators think of security as a matter of data integrity: protecting against threats from malware and spam. Sometimes, we consider security as a matter of confidentiality, but in most cases we think of confidentiality as something to protect while messages are in motion from place to place. That attitude explains the popularity of Transport Layer Security (TLS) for SMTP, along with Microsoft's sound decision to automatically deploy self-signed certificates for TLS protection in Exchange 2010 and Exchange 2007.

However, protecting data at rest is important, too. An attacker who can steal data from your Exchange servers can get essentially the whole enchilada: all of your email (or at least all of it from that server) in a convenient, portable form that can easily be read by third-party tools from AppAssure, Kroll Ontrack, and others. What can you do to protect yourself?

First, you have to understand that Exchange itself doesn't provide any means of encrypting Exchange mailbox or public folder databases. Microsoft SQL Server has the ability to encrypt individual database fields or entire databases, but Exchange hasn't gotten around to including this functionality. Fortunately, there are both hardware and software options that you can deploy, often at little or no additional cost.

Let's start with software. Microsoft ships two separate but complementary encryption tools in Windows Server 2008 and Server 2008 R2. The first tool is the Encrypting File System (EFS), which you can use to securely encrypt files and folders on NTFS volumes. Microsoft doesn't support the use of EFS with Exchange\[But you could do it anyway if you were daring—or foolhardy—enough?\] In fact, the Microsoft Exchange Best Practices Analyzer warns you if it notices you doing so. You can still use EFS, and it might even work for you, but Microsoft disclaims all obligation to help you when it goes off the rails.

The second software option, Windows BitLocker Drive Encryption (BDE), protects entire disk volumes, not just selected files or folders. BDE, explained well in the Jan De Clercq article "A Better BitLocker: BDE Enhancements," is fully supported by Microsoft for Exchange 2010 and Exchange 2007, provided that you do the necessary Jetstress testing to verify that the small performance impact of BitLocker won't be a problem for your Exchange deployment. Microsoft characterizes the BDE performance hit as "in the single digits," which is borne out by my own use of BDE. BDE is easy to deploy and manage, and it lets you store recovery keys securely in Active Directory to reduce the risk of data loss when a drive fails. However, BDE requires that your servers have Trusted Platform Module (TPM) hardware support, and not all servers include it.

If you'd rather, you can use hardware disk encryption to protect your data. A couple of years ago, the US National Security Agency (NSA) approved Seagate's Momentus FDE line of 2.5" disks for securing data at rest in laptops, so these drives have become fairly common in government use. Earlier this fall, Seagate announced several lines of server-grade disks, in both 2.5" and 3.5" form factors, that use the same encryption technology and have the same approval from the NSA.

The problem with these drives is that you can only use one of them at a time in a server because the BIOS mechanism that lets you unlock the drive at boot time can't deal with multiple encrypted drives. Luckily, Seagate has a solution for that: LSI Corporation and Intel make hardware (RAID cards and motherboards respectively) that support hardware RAID with multiple encrypted drives. I'll be testing this approach with Exchange (and Jetstress) and will report back on how well it works in a future UPDATE column.

Of course, no matter how you encrypt your data at rest, it's still critical that you're able to restore it when needed! Be careful if you decide to experiment with BitLocker on your servers.